Think about long-compile-time packages such as gcc, glibc (ok, you can make a tbz2 and distribute it to all servers, this however requires time) or configuration changes needed after updating packages such as baselayout, apache new style, php new style, mysql upgrade from 4.0.x to 4.1.x, openvpn changed the configuration way at least three times in the last year etc...

In debian and centos there are only security updates, no configuration changes are needed (few minutes to keep the server updated), additionally in centos/rhel there are periodic major updates, for example I recently updated centos/rhel from update2 to update3, this update was completed in about 30 minutes and yet no configuration changes were needed.

I think if you give a cost to the time needed to update and make the needed configuration changes on gentoo servers, at the end of the year the total cost of ownership exceeds centos/rhel and debian servers even if you have to pay an annual fee (rhel case),

regards
drakkan

Last edited by drakkan on Sat Apr 22, 2006 5:24 pm; edited 1 time in total

openvpn changed the configuration way at least three times in the last year

Not true. I've only changed it once and that was to fix bugs that people filed that could not be solved with the previous layout.

Quote:

In debian and centos there are only security updates, no configuration changes are needed (few minutes to keep the server updated), additionally in centos/rhel there are periodic major updates, for example I recently updated centos/rhel from update2 to update3, this update was completed in about 30 minutes and yet no configuration changes were needed.

I think there's a tool called glsa-check which maybe what you're after.

Quote:

I think if you give a cost to the time needed to update and make the needed configuration changes on gentoo servers, at the end of the year the total cost of ownership exceeds centos/rhel and debian servers even if you have to pay an annual fee (rhel case)

Not true. I've only changed it once and that was to fix bugs that people filed that could not be solved with the previous layout.

As I remember, the first time I installed openvpn the init script expected the conf file in /etc/openvpn/<directory>/file.conf; after some update the file was expected in /etc/openvpn, now I have to create an /etc/init.d/openvpn.file link for additional instances

Quote:

I think there's a tool called glsa-check which maybe what you're after.

Personally I run Gentoo on all my servers and generally have little need to mess around with configs. Granted, when an application like apache changes it's entire config layout then it's a pain, but heh. That's life.

I run gentoo on many servers too, I know that 7 years support for each release as rhel/centos is not an option (ubuntu dapper too will have 5 years support), however in distros such as debian I have to update between major versions only when a new release is out, think about the mysql 4.0.x to 4.1.x update if you have 5GB databases, it's really a pain, after this update is completed apache changes layout, after the apache update is completed php changes layout and so on..., I would like to do major updates one time every x months and then only security

Not true. I've only changed it once and that was to fix bugs that people filed that could not be solved with the previous layout.

As I remember, the first time I installed openvpn the init script expected the conf file in /etc/openvpn/<directory>/file.conf; after some update the file was expected in /etc/openvpn, now I have to create an /etc/init.d/openvpn.file link for additional instances

Right. That was one change - you said three.
Anyway, there's no need for any more config layout changes.
If you want the init script to start everything again, file a bug and assign it to me.
Should be quite easy, without requiring any config changes. Well, aside from a new var in conf.d/openvpn,
OPENVPN_START_ALL="yes|no"
for example.

Quote:

I run gentoo on many servers too, I know that 7 years support for each release as rhel/centos is not an option (ubuntu dapper too will have 5 years support), however in distros such as debian I have to update between major versions only when a new release is out, think about the mysql 4.0.x to 4.1.x update if you have 5GB databases, it's really a pain, after this update is completed apache changes layout, after the apache update is completed php changes layout and so on..., I would like to do major updates one time every x months and then only security

Ok, might be correct as of today for openvpn, but I think drakkan's point is a bit different.
As he already wrote, we had (in the not so far past)
- apache 'full' change with *a lot* of trouble due to that across the userbase
- mysql change with quite some issues because of a -r bump, nearly as much as above
- php 'full' change; I'm sure we'll see some issues in the next weeks due to this; hope for the best
- openvpn
- baselayout changes (latest when .12 hits stable, correct?)
- others I might have overlooked

So in a way drakkan's point of view is valid.
Nevertheless I'll always prefer Gentoo over SuSE or Redhat. At least the 'list of annoying things' with Gentoo is spread over the year instead of when a new release is there for the other ones.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

But on topic, I agree that there is a need for an "ultra stable" tree for servers or similar hardware deployment. Gentoo just takes too much maintenance if you're having more than ~10 servers. Respect for the topic starter for having 20.
If anyone wants to have some real Gentoo deployment in the business, we should make it friendly enough so maintaining it on 1, 20 or 10 000 servers virtually makes no difference.

No-one involved in Gentoo is holding a gun to your head to force you to update packages at regular intervals (or if they are, you should call the police ); if you want to update only every x months then just run emerge sync every x months.

let me tell you I completely agree with this. I've been trying to explain that point of view to many people in another forum but they seem to be too young to understand. I love Gentoo, but I'll never use it on a server again unless GLEP 19 is alive. Unfortunately this means that every security update should be backported and ebuild life increased a lot. I don't see how this could be achieved if people in charge of this GLEP don't reply to email offering help.
So for now, Gentoo is definitely not a good distro for server.

PS: like a lot of people, there are many packages I've been forced to upgrade due to security reasons. One of the worst changes for me was amavisd-new with a +3000 lines config file, so don't tell me it's not time consuming.
_________________
Gentoo won't be suitable for server use until GLEP 19 is alive.

You get to compare Gentoo against RHEL. I don't. But that's not really a fair comparison. You're paying TOP DOLLAR, and you're paying it EXACTLY for what you're complaining about: stability. I mean, be honest. I've done the math. If you go for RHEL, you're paying more for an OS than buying Windows Server, and keeping up with all of its upgrades over the 5 year cycle. (Don't start with me on the Microsoft angle; I'm JUST comparing commercial server OS's based on cost.)

If you compare Gentoo against other free (as in cost) distros, the comparison needs to be made -- sorry to say -- with glsa-check in mind. That's what it's for, regardless of whether it's "official" or not. Look, if you want "official," are you really concerned with Gentoo anyway? It's designed from the ground up to be a "tweakers" distro. In my opinion, the great thing about Gentoo is how much it -- in general -- tries to keep close to the original packaging from upstream. To me, THAT'S "official."

What drove me away from using Ubuntu when I settled on a distro a couple years ago was the fact that their Postfix package went in chroot'ed. I didn't want that. Why were they making that decision for me? Yes, I could back it out; I just didn't like the implication. What other assumptions were they going to make for me? And the problem with Ubuntu was the same problem with Debian. It's really the same distro. So that left them out of my consideration as well.

So, for that "official-ness" of keeping close to upstream, I put up with other things. One of these is the lack of "security-only" type updating. Like I said, though, this is addressed by GLEP 19. I use it, with a sync, every night, on all my machines. Like someone else said, an even better idea would be to keep your own portage tree. And the coup de grace would be, like someone else said, to compile your own binary changes. It's not as "clean" as SuSE's approach, but it would work. Like everything else in Gentoo, it's more manual than some other distro's. (But that's the fun, right?) For 20 machines, I'd do this for Red Hat or SuSE. (In fact, I did it for only 4.)

Getting back to my original point, I find it actually LESS work over the long haul to use Gentoo than other distros. Think about it. Take SuSE for example, though Red Hat was no different before that. For several years, I would upgrade my servers to the *.2 revisions of their releases. I went from "stable" to "stable." On the desktop, I upgraded every 6 months with their new release. This was getting expensive. (I know it's "free," but I wanted to support them, and get the latest stuff as soon as I could, so I bought the packaged distro.) But what does this do to you?

I tried upgrading. Once. After that, every time I installed a new version, I would back up my configs, wipe the machine, install the new version, and then -- and this is the important part, so don't miss it -- spend the next several days getting used to the new versions of all the software installed. Most of the time, many configs would have to be rewritten because of new layouts or new package versions. All this approach did was to put off migrating to newer versions of installed packages ALL AT ONCE. With Gentoo, I find it's actually easier to simply roll forward on a piecewise basis, getting to grips with new packages as they go in.

This approach doesn't backport fixes to older versions. But, do you really want to do that? Really? If the security concern is taken care of in the new version, plus you get some new features, are you really less well off than you were before? I can understand the reservation in a mission-critical environment. I mean, if I were running my company's PDM system on Gentoo (and don't think it hasn't crossed my mind), would I really be comfortable with this approach? I've not asked myself this question until just now, and my answer is: probably not. In this situation, I would have a test instance that we could hammer on to make sure that everything worked as expected... Wait a minute... That's exactly what we do with Solaris anyway! So we've really lost nothing if we take this additional step in critical circumstances.

I'm not trying to sway your opinion on Gentoo. If it's not working for you, there's plenty of other options, and that's exactly why there are several hundred distros to choose from. However, I know where you're coming from. I also want to stay with one of the "tier 1" distros, and there are only about 4 or 5. In the end, you have to make some hard choices, and live with the trade-offs. I'm just trying to put another point of view out there, as someone who has also worked with several other distros, and who has now lived with Gentoo for several years. Maybe this will cause someone else to understand my thinking on why I'm even more convinced that Gentoo is the right choice for me, many years on in my experience with Linux (11+).

Sorry to ramble on like this, but these are the sorts of things that keep me up at night. How lame is that?
_________________
Acts 17:28, "For in Him we live, and move, and have our being."

No-one involved in Gentoo is holding a gun to your head to force you to update packages at regular intervals (or if they are, you should call the police ); if you want to update only every x months then just run emerge sync every x months.

what about security update?

sugar wrote:

Why not compile binarys on your faster server, and just update from that?

Yes, I do so for long-compile-time packages such as glibc and gcc, however a compilation machine is a cost in the business world; actually the compilation machine is my home pc,

I think it isn't a good idea to have a busy mailserver or database server compiling for hours

letoff wrote:

So for now, Gentoo is definitely not a good distro for server.

You are right, without glep 19 gentoo isn't a server distro
For new servers I'm using centos,

The Mad Mahdi wrote:
No-one involved in Gentoo is holding a gun to your head to force you to update packages at regular intervals (or if they are, you should call the police ); if you want to update only every x months then just run emerge sync every x months.

what about security update?

I agree that glsa-check is not as nice as Debian, but then you yourself say:

Quote:

Without glep 19 gentoo isn't a server distro
For new servers I'm using centos,

ubuntu dapper with its 5 years support is very interesting too

however no other distro is as flexible as gentoo

As with anything in life, with a gain in flexibility you lose in automation. You can pay someone to do the donkey-work for you, but then you either get a pre-configured system (a la Windows, OSX, Solaris, RH), or you are relying on the hope that the contractor will understand your needs fully.

If Gentoo isn't right for you, then fine. But Gentoo is right for Gentoo users just as Debian is right for Debian users and so on.

1.) Trying to argue configuration and version incompatibility as a Gentoo issue is ridiculous. Incompatibilities between Mysql 4.0 and 4.1 are a Mysql issue, not a Gentoo one. Also, just because RHEL doesn't tell you that you need to merge your config files doesn't mean that you don't need to. Often, installing from an RPM will wipe your config files completely and replace them with the new ones. In that respect, Gentoo is "smart".

2.) I think one major issue that you are overlooking is the lifespan of RPM-based distributions. Sure it takes a little extra time to keep all of your packages up to date (and personally I think it's worth it because of how easy Portage makes it to keep stuff up to date), but think about what a pain in the ass it is to take a box offline and reinstall the new version of RedHat or Mandrake or whatever because no updates are available for your system through a decent repository. I've updated boxes through Yum and it *kind of* works, but you have a lot of stuff to fix when you're done, in my experience. I have spent hours in RPM-hell and I'm not going back! I had two servers which I installed Gentoo on in the last couple of months which ran RedHat7 on both. One of the major reasons I was able to convince my boss to let me install Gentoo was because (assuming no hardware screws up and they don't lose power) the boxes never need to be "upgraded" to a new version. Dispatching config files is WAY better than doing a reinstall to get new packages/kernel/etc.

I always liked Debian as a server distro. Security updates come through very quickly, and it's binary so everything updates quickly. And major releases are so few and far between (generally a bad thing), I had very little down time for major changes. And any major changes my server went through Just Worked (tm). But then I converted my server to a server/desktop and chose Gentoo because of the flexibility. For lots of servers, I'd pick Debian personally.
_________________
Desktop: AMD Athlon64 3800+ Venice Core, 2GB PC3200, 2x160GB 7200rpm Maxtor DiamondMax 10, 2x320GB WD 7200rpm Caviar RE, Nvidia 6600GT 256MB
Laptop: Intel Pentium M, 512MB PC2700, 60GB 5400rpm IBM TravelStar, Nvidia 5200Go 64MB

As with anything in life, with a gain in flexibility you lose in automation. You can pay someone to do the donkey-work for you, but then you either get a pre-configured system (a la Windows, OSX, Solaris, RH), or you are relying on the hope that the contractor will understand your needs fully.

If Gentoo isn't right for you, then fine. But Gentoo is right for Gentoo users just as Debian is right for Debian users and so on.

gentoo is right for my desktop, it's very funny,

on my servers I have to work almost every weekend to keep all of them updated so gentoo isn't good anymore for my servers, I prefer a less configurable distro such as centos,

after initial configuration I never have to change a config file, the updates are less frequent than gentoo and already in binary packages.

Now, I repeat myself, I love gentoo for its great flexibility, however for servers I feel the need for a more stable profile and, as you can see from other posts, I'm not alone

glep 19 could solve this problem by offering a more stable profile (so things such as my previous example will happen on the desktop profile and not on the server profile), I think it would already be a good improvement if I had to do a big update every time a new gentoo release is made (2 times per year).

However glep 19 seems far, so my new servers are centos or debian (for firewalls). I'm discussing my switch from gentoo to other distros to point gentoo developers to this problem. I would be very pleased if this issue was solved in the near future; if not, there are a lot of other distros built for server usage.

With glep19 gentoo will be the best distro out of there ..., however this is only my point of view

I agree totally with Ast0r and dunkirk. Gentoo has no "major revisions" to speak of and this is a huge boon to upgrading. I love having my server upgradeable bit by bit and never having to reinstall. Upgrading to a new major version of Debian or RedHat was always a huge pain (and continues to be by what I hear). Upgrading the big bits piece by piece is far easier than doing it all at once.

In addition to that Gentoo has dispatch-conf, which is a huge time saver. It's very easy to quickly glance over changes and simply let the new versions override the old ones for anything I've never touched (and it usually does this for me) and it's generally not hard to use its simple merging capabilities for the files that I do edit. The case of a 6000-line config file is a bit atypical I think.

I would also like to say that the PHP and Apache upgrades were very good things. They simplified the configuration and have made it easier for the support teams to deal with them. It was a pain to upgrade, especially since I wanted to have my webserver up now on that specific day but it's my own fault for not paying attention.

And remember, you don't always have to emerge -u world. You can always emerge -up world and simply choose what you upgrade. Then, when you have a weekend for the bug upgrades do them.

on centos/rhel mysql version remain the same until you decide an upgrade from major version (for example from centos3 to centos4), same on debian,

so you can plan major upgrade and schedule maintenance at client's sites

in gentoo there is a major upgrade every few months: think at baselayout,apache, php,mysql and so on... more maintenance = more costs

As someone already said, just because a newer version is marked stable, you are under no obligation to make this upgrade.
(/etc/portage/package.mask is your friend )

You can't have it both ways. You argue that you have to upgrade mysql from 4.0.x to 4.1.x because you want the updates, but on the other OSes, you wait and plan these major upgrades. Don't you miss the updates on them? If you mask the major versions and just get the bug fixes to the lower versions, (4.0.x mysql in this example), its pretty much the same as other distros. (Minus compile time)

If you don't like the length of compiling time or running your own portage tree, that is perfectly valid, but you have to be fair in your arguments. Additionally, how many of the minor updates in portage are security related and are required? In Gentoo, minor versions can be bumped for small changes or fixes that don't affect most users. Binary distros usually save up these changes and release a cumulative update every so often. So again, you don't have to update always.

I use ClarkConnect (CentOS based) myself for my servers only because I find the web frontend the quickest and easiest to get things running and for making changes on heterogeneous networks.

Last edited by Headrush on Tue Apr 25, 2006 3:58 pm; edited 1 time in total

What is needed, IMO, is a configuration management utility that can (re)apply configuration changes in an intelligent way. After being blind-sided by the Apache configuration update, I started working on solving this problem for Apache, but I only got a little way into it before realizing that making it Apache specific just solved part of the problem, and then I wound up too busy with "real work" to do much with it. (The initial (lame, pre-alpha grade) attempts are posted on sourceforge in project "apacheconfig").

What I'm thinking of now is an XML based "meta-configuration" utility that understands the structure of an application's configuration files and allows me to apply changes to them at a semantic level (for example, if this is PHP-CLI, set the max execution time to zero).

Then the utility, possibly driven from "etc-update", could make my configuration-specific changes to a new configuration and I'd be done with it. This approach differs from a simple patch file. When a package moves, for example, its security settings from a section called "[General]" to "[Security]", the tool itself should be smart enough to know that my change (say, ClearPasswords = no) should be placed in the new section rather than the old global section.

This is what apacheconfig was on its way to doing... given a base config file, it would read it and all the (wildcarded) include files, find the section/directive it needed, make the change, then write the changed files back out. Unfortunately I don't think it's a suitable base for solving the larger problem; for starters it's not XML driven. (It's also my first crack at Python and thus probably a little pathetic).

Although this kind of tool would be more useful in the Gentoo frequent-update scenario than in many other environments, I see it as useful in many places. It should be distribution independent (possibly even OS independent). From a professional standpoint, my ultimate goal would be to bring a "meta-patch file" to a new Linux installation (unfortunately the OS/distro is often the customer's choice), run this tool and know that 90+% of my configuration work was done.

Does anyone know of something out there that's even close to this? As a back-burner project it may be a while before I can work on it some more.

As for the Gentoo vs. RHEL debate, it's a matter of individual preferences, but this "compile time" argument is pretty tired. I've got an old box on my network that does the compiles and serves binary distributions. In my experience any shop with 10 active servers has a pile of old boxes sitting around gathering dust. Combine them into a single stable system (use RAID on the old drives), or even a compile farm if you really really need that update before the FedEx truck arrives, and be done with it. There's lots of good documentation on setting up a binary package server -- even I can do it
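The "meta-patch" idea in the post above (a semantic change like ClearPasswords = no that follows the key when upstream moves it from [General] to [Security]), as an added example that is not the apacheconfig project's code. It works on INI-style files only; the sample configs and the helper names (apply_meta_patch, locate) are constructed for the illustration. Keys the new default no longer defines are flagged in the report, since a hardening setting that silently falls back to the upstream default is exactly the failure an update should not hide.

```python
import configparser
import io

# Constructed sample: old upstream default keeps ClearPasswords under [General]
OLD_DEFAULT = """
[General]
Port = 8080
ClearPasswords = yes
"""

# Constructed sample: new upstream release moved the key into [Security]
NEW_DEFAULT = """
[General]
Port = 8080

[Security]
ClearPasswords = yes
RequireTLS = no
"""

# Semantic meta-patch: what to set, deliberately without naming a section
META_PATCH = {"ClearPasswords": "no", "Port": "8443"}


def parse(text):
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case; many daemons treat keys case-sensitively
    cp.read_string(text)
    return cp


def locate(cp, key):
    """Return the section in which the upstream default defines `key`, or None."""
    for section in cp.sections():
        if cp.has_option(section, key):
            return section
    return None


def apply_meta_patch(default_text, patch, fallback="General"):
    """Apply `patch` to the upstream default text.

    Each key is written into whichever section the *new* default uses for it,
    so a key that upstream moved lands in its new home. Returns (new_text,
    report); report maps key -> (section used, found_in_default). Keys the
    default no longer knows go to `fallback` with found_in_default=False so an
    operator can review them instead of trusting a silently reverted setting.
    """
    cp = parse(default_text)
    report = {}
    for key, value in patch.items():
        section = locate(cp, key)
        found = section is not None
        if not found:
            section = fallback
            if not cp.has_section(section):
                cp.add_section(section)
        cp.set(section, key, value)
        report[key] = (section, found)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue(), report


if __name__ == "__main__":
    text, report = apply_meta_patch(NEW_DEFAULT, META_PATCH)
    print(text)
    for key, (section, found) in report.items():
        print(f"{key}: placed in [{section}]" + ("" if found else " (NOT in upstream default, review!)"))
```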